The past two years have been a real wake-up call for the industrial automation industry. For the first time ever there is proof the industry has been the target of sophisticated cyber attacks like Stuxnet, Night Dragon and Duqu.
After the realization of targeted attacks came the next step: a huge number of security vulnerabilities were exposed in industrial control products, and regulatory agencies are demanding compliance with complex and confusing regulations. Cyber security has quickly become a serious issue for professionals in the process and critical infrastructure industries.
If you are a process control engineer, an IT professional in a company with an automation division, or a business manager responsible for safety or security, you may be wondering how your organization can get moving on more robust cyber security practices.
To provide guidance in this area, Eric Byres, chief technology officer at Tofino Security, and John Cusimano, director of security at exida, wrote a white paper entitled “7 Steps to ICS and SCADA Security.”
The following is an excerpted version of the paper:
Step 1 – Assess Existing Systems
Your first step is to do a risk assessment to quantify and rank the risks that pose a danger to your business. This is necessary so you know how to prioritize your security dollars and efforts. Far too often we see the assessment step skipped and companies throw money into a solution for a minor risk, leaving far more serious risks unaddressed.
While risk assessment might seem daunting, it can be manageable if you adopt a simple, lightweight methodology.
Step 2 – Document Policies and Procedures
We highly recommend organizations develop ICS-specific documents describing company policy, standards and procedures around control system security. These documents should refer back to corporate IT security documents. In our experience, separate ICS security documents greatly benefit those responsible for ICS security, helping them clearly understand their security-related expectations and responsibilities.
You should also become familiar with applicable security regulations and standards for your industry.
Step 3 – Train Personnel & Contractors
Once you have documented your policies and procedures, you need to make sure your staff is aware of them and is following them. An awareness program should be carried out for all applicable employees, with the support of senior management. Then, you should conduct a training program. We highly recommend a role-based training program for control systems security.
Step 4 – Segment the Control System Network
Network segmentation is the most important tactical step you can take to improve the security of your industrial automation system. The white paper explains the concepts of “zones” and “conduits” and provides a high-level network diagram showing them.
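As an added illustration (not taken from the white paper), the Python sketch below audits observed network flows against a documented zone-and-conduit model. It assumes a zone is a group of assets identified by subnet and a conduit is an explicitly permitted path between two zones; every zone name, address, port and flow record in it is constructed for the example.

```python
import ipaddress

# Constructed zone map: zone name -> subnet (assumed addressing).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}
# Constructed conduits: (source zone, destination zone) -> allowed
# (protocol, destination port) pairs. Anything not listed is denied.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},
    ("dmz", "control"): {("tcp", 4840)},  # OPC UA from a DMZ historian
}
# Constructed flow records: (source IP, destination IP, protocol, port).
SAMPLE_FLOWS = [
    ("10.10.4.21", "10.20.0.5", "tcp", 443),
    ("10.20.0.5", "10.30.0.10", "tcp", 4840),
    ("10.10.4.21", "10.30.0.10", "tcp", 502),
    ("10.20.0.5", "10.30.0.10", "tcp", 3389),
    ("10.30.0.10", "10.30.0.11", "tcp", 502),
    ("192.168.1.7", "10.30.0.10", "tcp", 22),
]

def zone_of(addr):
    """Return the name of the zone containing addr, or None if undocumented."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flow(src, dst, proto, port):
    """Classify one flow against the zone and conduit model."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "unknown-zone"    # asset missing from the zone inventory
    if src_zone == dst_zone:
        return "intra-zone"      # stays inside one zone, no conduit needed
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "no-conduit"      # zones talk without a defined conduit
    return "ok" if (proto, port) in allowed else "not-permitted"

def violations(flows):
    """Return (flow, finding) for every flow that breaks the model."""
    results = [(f, audit_flow(*f)) for f in flows]
    return [(f, r) for f, r in results if r not in ("ok", "intra-zone")]
```

Run over firewall or NetFlow exports, `violations()` surfaces traffic that bypasses the DMZ, uses an unapproved service across a conduit, or involves an asset that was never assigned to a zone.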
Step 5 – Control Access to the System
Once you’ve partitioned your system into security zones, the next step is to control access to the assets within those zones. It is important to provide physical and logical access controls.
Typical physical access controls are fences, locked doors, and locked equipment cabinets. The goal is to limit physical access to critical ICS assets to only those who require it to perform their job.
The same concepts apply to logical access control, including the concept of multiple levels of control and authentication. Once authenticated, users can gain authorization to perform certain functions.
Step 6 – Harden the Components
Hardening the components of your system means locking down the functionality of the various components to prevent unauthorized access or changes, removing unnecessary functions or features, and patching any known vulnerabilities.
This is especially important in modern control systems that make extensive use of commercial off-the-shelf technology. In such systems, it is critical to disable unused functions and to ensure configurable options are set to their most secure settings.
Step 7 – Monitor & Maintain System Security
As an owner or operator of an industrial control system, you must remain vigilant by monitoring and maintaining security throughout the lifecycle of your system. This involves activities such as updating antivirus signatures and installing security patches on Windows servers. It also involves monitoring your system for suspicious activity.
It is important to periodically test and assess your system. Assessments involve periodic audits to verify the system is still configured for optimal security as well as updating security controls to the latest standards and best practices.
Effective ICS and SCADA security is not a one-time project. Rather, it is an ongoing, iterative process. You will need to repeat the 7 steps and update materials and measures as systems, people, business objectives and threats change.
The reward for your hard work will be the knowledge that your operation has maximum protection against disruption, safety incidents and business losses from modern cyber security threats.